PIX config is not giving VPN clients a gateway address

Posted on 2006-05-15
Last Modified: 2012-08-13
I am using Cisco VPN client 4.6 and running PIX version 6.3(5). Everything with my VPN is working properly except that my VPN clients are not getting the Gateway pushed out to them, which is causing intermittent DNS issues. Here is a copy of the relevant parts from my PIX config. Please let me know what the command to add the gateway to clients would be or what else you may recommend. I will be looking into this myself and will post the solution if I beat you to the reply. Thanks in advance.

NDIFW# sho run
: Saved
PIX Version 6.3(5)
ip audit info action alarm
ip audit attack action alarm
ip local pool testPool
no pdm history enable
arp timeout 14400
global (outside) 1 interface
global (dmz) 1 netmask
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0 0
nat (dmz) 0 access-list dmz_nat
nat (dmz) 1 0 0
route outside 1
route inside 1
route inside 1
route inside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server partnerauth protocol radius
aaa-server partnerauth max-failed-attempts 3
aaa-server partnerauth deadtime 10
aaa-server partnerauth (inside) host "" timeout 10
aaa authentication ssh console partnerauth
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set clientset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 30 set transform-set clientset
crypto map newmap 20 ipsec-isakmp dynamic dynmap
crypto map newmap client authentication partnerauth
crypto map newmap interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication rsa-sig
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
vpngroup test address-pool testPool
vpngroup test dns-server
vpngroup test wins-server
vpngroup test default-domain
vpngroup test split-tunnel ndigroup_splitTunnelAcl
vpngroup test idle-time 1800
vpngroup test password
telnet timeout 5
ssh inside
ssh timeout 60
management-access inside
console timeout 0
terminal width 80
: end
Question by:Natldiag

    Accepted Solution

    You want all the traffic to come through the PIX? Take out 'vpngroup test split-tunnel ndigroup_splitTunnelAcl' with

    no vpngroup test split-tunnel ndigroup_splitTunnelAcl

    This will make the tunnel gateway for all traffic from VPN clients.

    Author Comment

    I removed this command from my config and confirmed that the gateway is now being pushed out through the VPN client. I started to do a little research on this command, but still cannot find out the benefit of it being put into my config in the first place. Any ideas? I inherited this config. DNS is now resolving through VPN. Thanks for the help!

    Expert Comment

    It is used for security reasons: if you want to limit access to your internal network, you use the split-tunnel to define the interesting traffic that will pass through the VPN tunnel. All other traffic will use the client's default gateway (commonly internet traffic).
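As an added example (not code from the thread), a small Python audit that reads a PIX 6.3 running-config and reports, per vpngroup, whether clients get a full tunnel or a split tunnel, which networks the split-tunnel ACL routes through the VPN, and whether a referenced ACL is missing. The sample config, group names other than "test", and addresses are constructed.

```python
import re
from typing import Dict, List

# Constructed sample: a trimmed PIX 6.3 config with a split-tunnel group
# (like the poster's "test" group), a full-tunnel group, and a broken one.
SAMPLE_CONFIG = """\
access-list ndigroup_splitTunnelAcl permit ip 192.168.10.0 255.255.255.0 any
access-list ndigroup_splitTunnelAcl permit ip 192.168.20.0 255.255.255.0 any
vpngroup test address-pool testPool
vpngroup test dns-server 192.168.10.5
vpngroup test split-tunnel ndigroup_splitTunnelAcl
vpngroup test idle-time 1800
vpngroup fulltunnel address-pool testPool
vpngroup fulltunnel dns-server 192.168.10.5
vpngroup broken split-tunnel missingAcl
"""

# "access-list <name> permit ip <net> <mask> <dst>": the source network is
# what the PIX pushes to the client as a route into the tunnel.
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+permit\s+ip\s+(\S+)\s+(\S+)\s+\S+")
VPNGROUP_RE = re.compile(r"^vpngroup\s+(\S+)\s+(\S+)(?:\s+(\S+))?")

def audit_vpngroups(config: str) -> Dict[str, dict]:
    """Per vpngroup: tunnel mode, split-tunnel ACL, tunneled networks, notes."""
    acls: Dict[str, List[str]] = {}
    groups: Dict[str, dict] = {}
    for raw in config.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            acls.setdefault(m.group(1), []).append(f"{m.group(2)} {m.group(3)}")
            continue
        m = VPNGROUP_RE.match(line)
        if m:
            name, attr, value = m.groups()
            g = groups.setdefault(name, {"mode": "full", "acl": None,
                                         "networks": [], "notes": []})
            if attr == "split-tunnel":
                g["mode"], g["acl"] = "split", value
    for g in groups.values():
        if g["mode"] == "full":
            # No split-tunnel line: all client traffic (DNS included) goes
            # through the PIX, which is what resolved the poster's DNS issue.
            g["networks"] = ["0.0.0.0 0.0.0.0"]
        elif g["acl"] in acls:
            g["networks"] = acls[g["acl"]]
            g["notes"].append("split tunnel: other traffic uses client's local gateway")
        else:
            # Referenced ACL is absent from the config: nothing would be tunneled.
            g["notes"].append(f"split-tunnel ACL {g['acl']} not found in config")
    return groups
```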
